PCICC is an optional feature for zSeries 900 and for S/390 Generation 5 and 6 Servers

Highlights

  • Balanced, expandable support for secure Web serving. Reduces SSL processing bottlenecks, making secure e-business applications easier to implement.
  • High speed, secure cryptographic hardware. Add optional PCI Cryptographic Coprocessors alongside the CMOS Cryptographic Coprocessor standard feature to meet your growth needs.
  • Enhances the industry-leading hardware cryptographic support of zSeries and S/390 for e-commerce and financial applications. Provides new public-key cryptographic functions.
  • Support integrated into z/OS and OS/390 V2 R9. Choice of APIs: IBM CCA, CDSA, and BSAFE.
  • Tamper-responding design based on IBM 4758 PCI Cryptographic Coprocessor technology.
  • Optional Trusted Key Entry (TKE) system. Secure entry and management of master cryptographic keys.

Overview
The IBM PCI Cryptographic Coprocessor (PCICC) is an orderable feature that adds cryptographic function and cryptographic performance to IBM e-server zSeries and IBM S/390 G5/G6 servers. PCICC features can be installed as needed to provide increasing cryptographic processing capacity as customers expand their usage of e-business applications requiring cryptographic processing. Up to eight Dual PCICC features, each containing 2 PCI Cryptographic Coprocessors, can be installed in a single zSeries server. Up to eight PCICC features, each containing one PCI Cryptographic Coprocessor, can be installed in a single S/390 G5 or G6 server. The IBM PCI Cryptographic Coprocessor feature coexists with and augments the IBM CMOS Cryptographic Coprocessor, which is standard on zSeries 900 and on S/390 G5 and G6 servers.

Exceptional Performance for e-commerce SSL
Performance measurements of a fully configured PCICC implementation on a G6 server (8 PCICC features installed) show that a single G6 server can process 1000 SSL transactions/sec. A zSeries 900 server with eight Dual PCICC features installed can process 2000 SSL transactions/sec. The measurements were made at the System SSL application API layer and reflect the underlying performance of the PCI and CMOS Cryptographic Coprocessors, as well as the efficient load balancing of cryptographic operations performed by OS/390.

Integrated Support in z/OS and OS/390
Support for PCICC is provided by z/OS and by OS/390 V2R9 with new ICSF functions. ICSF transparently routes application requests for cryptographic services to the appropriate cryptographic coprocessor. Either a CMOS Cryptographic Coprocessor or a PCICC is invoked to perform the cryptographic operation, depending on performance or cryptographic function. Routing tables internal to z/OS and OS/390 ICSF determine which operations are performed by a CMOS Cryptographic Coprocessor and which by a PCI Cryptographic Coprocessor. For operations that are supported and perform well on either type of coprocessor (such as SSL, which is a heavy user of Private Key Decrypt operations), ICSF load balances the workload across all the available coprocessors. For operations supported only by PCICC, such as RSA Key Generate, ICSF routes the request only to an available PCICC. Other routing decisions take into account the relative performance of specific operations on a specific type of coprocessor.

New Functions
In addition to providing enhanced performance, the PCICC feature provides several additional cryptographic functions which enhance the security of public/private key encryption processing:

  • RSA Key generation for public/private key pair generation
  • 2048-bit RSA signature generation
  • Retained Key support (RSA private keys generated and kept stored within the secure hardware boundary)
  • Functions needed to migrate applications from the IBM 4753 Transaction Security Server, an external, channel-attached cryptographic processing unit. (z/OS or OS/390 V2R10 required)
  • Customizable User Defined Extensions (UDX) for implementing unique customer application functions. (z/OS or OS/390 V2R10 required)

Proven, Secure Technology
Each PCICC feature is built around an IBM 4758-2 PCI Cryptographic Coprocessor card embedded in an adapter package. The IBM 4758-2 has received FIPS 140-1 Level 4 certification from NIST (U.S. National Institute of Standards and Technology).

Additional Information
Combined PCICC and CMOS Cryptographic Coprocessor application considerations are included in OS/390 V2R10 ICSF Publications.
